Apple does not want Google to "stir fear" over serious iOS security exploits – TechCrunch




Apple has published a tart response to a full Google report describing a serious security flaw in iOS. The flaw, which allowed an attacker to gain root access on a device visiting a malicious website, was reported last week. Apple wants to "make sure all our customers have the facts", which is funny because it's likely we would not have all the facts if Google had not documented this issue so rigorously.

In a brief press statement, Apple says it has heard the concerns of its customers and wants to make sure they know they are safe.

According to Apple, the attack was "narrowly targeted" and did not constitute a "mass" exploit. "The attack hit less than a dozen websites focused on Uighur-related content," Apple wrote.

While it is true that only a small number of websites were affected, Google said that these websites were visited thousands of times a week and that the attacks had been active for about two months. Even a conservative estimate based on these numbers suggests that more than one hundred thousand devices could easily have been probed and, if they were vulnerable, infected. If only 1 in 100 of those devices was an iPhone, that would be root access to a thousand members of the target population. Even this lowest estimate seems to me already enough to count as "en masse".

Moreover, although the non-Uighurs among us may feel better that we were not the target of this campaign, it is little comfort, because the target demographic could just as well have been a political or religious institution in which we participate.

Apple rejects Google's idea that the exploit offers "the ability to target and monitor the private activities of entire populations in real time". That claim was, according to Apple, "fanning fear among all iPhone users that their devices have been compromised."

Google's warning in this case, however, seems relevant. An undetectable root exploit for current iPhones deployed via a popular website to a targeted population? This should fuel fear among all iPhone users, as it seems obvious that they could very well have been compromised before. After all, there is no proof that this attack targeting the Uighurs was the only one.

Apple points out that "when Google contacted us, we were already fixing exploited bugs". But who was it, then, that wrote a long technical discussion on the subject so that other security researchers, as well as consumers, would be aware?

It's a little puzzling for Apple to say that "iOS security is second to none" when discussing an incredibly dangerous and powerful exploit that has apparently been successfully deployed against an ethnic minority by, almost certainly, the only nation-state with an interest in doing so. Did Apple explain to Uighurs, whose phones were completely and invisibly taken over by malware, that everything is fine because "security is an endless journey"?

If Google Project Zero researchers had not documented this problem, we probably would not have heard of it, except as an anonymous "security patch" point release of our mobile operating systems.

Journey or not, this was a serious security failure that seems to have been exploited successfully and maliciously in the wild. Apple's sour grapes and its defensive language are out of place here, and a mea culpa would have better suited the company.
